Permitting empty realm strings?

[PCManticore]

Hey,

First of all, I'm definitely not very acquainted with OAuth, so this question might seem stupid. I'm porting an application from oauth to oauthlib and I noticed that in oauth I have this string in the Authorization header realm="". I can't replicate this with oauthlib, by passing realm="" in the constructor, since doing this check here https://github.com/idan/oauthlib/blob/master/oauthlib/oauth1/rfc5849/parameters.py#L77 ignores any empty strings. Wouldn't it have been better to use if realm is not None? Now I don't know if an empty realm makes sense or not.

Thank you.

[foxx]

RFC5849 doesn't specify whether realm can be an empty string or not. However, this would be a backwards incompatible change, as some people may be relying on the opposite behaviour. I've had a look at some other libraries, and they seem to implement it the same way oauthlib has.

If you can find any evidence that other libraries handle this differently, please let me know. Otherwise, one option is for us to add a flag, disabled by default, which changes the behaviour. This does add slightly more code complexity, would need to see a +1 from another contributor for this.